The line src/phyp/phyp_driver.c:427 was crashing by buffer overflow
if the return of the command wasn't <=10. The highest number for a
LPAR ID is 256 per machine, no need to allocate 10 bytes for it. So,
adjusting the correct size (+1 byte for the '\n') and checking for
errors.
---
src/phyp/phyp_driver.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index ee1e21b..f8fd29b 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -383,7 +383,7 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids,
int got = 0;
char *char_ptr;
unsigned int i = 0, j = 0;
- char id_c[10];
+ char id_c[4];
char *cmd = NULL;
char *ret = NULL;
const char *state;
@@ -394,7 +394,7 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids,
else
state = " ";
- memset(id_c, 0, 10);
+ memset(id_c, 0, 4);
virBufferAddLit(&buf, "lssyscfg -r lpar");
if (system_type == HMC)
@@ -410,6 +410,11 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids,
ret = phypExec(session, cmd, &exit_status, conn);
+ if (strlen(ret) > 4) {
+ VIR_ERROR0(ret);
+ goto err;
+ }
+
/* I need to parse the textual return in order to get the ret */
if (exit_status < 0 || ret == NULL)
goto err;
--
1.7.0.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list